Malware removal Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/malware-removal/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Sun, 24 Mar 2024 02:59:58 +0000

Trojan:Script/Ulthar.A!ml
https://gridinsoft.com/blogs/trojanscript-ulthar-aml/
Thu, 29 Feb 2024 22:38:55 +0000

Trojan:Script/Ulthar.A!ml is a detection name used by Windows Defender for a file it identifies as a trojan, specifically a script-based malicious program. However, it often turns out to be a false positive, where the antivirus labels a harmless file as malicious. Let’s understand what this detection is and why it can be false.

What is Trojan:Script/Ulthar.A!ml?

Trojan:Script/Ulthar.A!ml is a generic detection name assigned by Microsoft Defender to a malicious script. Such threats may belong to different malware families, but to simplify the designation, Microsoft groups them by characteristics.

[Image: Trojan:Script/Ulthar.A!ml detection in Microsoft Defender]

The majority of known Ulthar.A!ml cases are attributed to file archives, both of the .zip/.rar and .jar formats. This implies that the detection refers to a threat that uses code packing. Considering the nature of archived files, including the Java virtual machine used to run .jar archives, it is important to take this detection seriously.

Ulthar.A!ml Malware Analysis

During my analysis of Trojan:Script/Ulthar.A!ml, I found quite a lot of cases where it was assigned to benign files, i.e. where it was a false positive. Popular malware sandboxes and collections did not contain any fresh samples detected under this name. At the same time, there were some similar malware samples, which simplified the research.

The signature name gives a couple of clues to start with. Trojan:Script is a header attributed to malicious scripts; the “Trojan” part means it may serve any purpose, from gaining initial access to collecting data and delivering other malware. The proper name, “Ulthar”, is not a reference to a Lovecraft book but an umbrella designation for malicious software that shares similar properties. And this is where other clues appear.

As I said, sandboxes do not keep any records for Trojan:Script/Ulthar.A!ml, i.e. this specific name. However, VirusTotal does have an analysis of a malicious program detected as Trojan:Win32/Ulthar.A!ml – not exactly the same thing. But the shared family name means it has the same core functions as the Ulthar we are interested in.

[Image: Microsoft Defender detection explained]

So, what is the Ulthar trojan? According to data from several sources, it is a backdoor with a rather tricky detection- and analysis-evasion procedure. In particular, it checks whether it is running in a VM or a debugging environment, and then protects its file and the directory it is located in. After all these checks and actions, Ulthar switches to collecting system information – most likely to create a fingerprint that distinguishes this machine from others.

[Image: Functions of Ulthar malware. Source: VirusTotal]

As is typical for backdoors, Ulthar provides remote access to the system. However, it looks like this access is not a real-time connection but a set of remote changes made to the system. The malware grants hackers a lengthy list of actions they can perform in the infected system, ranging from editing the system registry and directories to launching specific files. The latter is actually the biggest potential danger, as it means Ulthar can deploy other malware.

Is Trojan:Script/Ulthar.A!ml False Positive?

As I’ve mentioned, the Trojan:Script/Ulthar.A!ml name often appears as a false positive detection. In fact, the majority of online feedback describes this detection firing on completely legitimate and safe files, particularly game mods kept in archives. And while malware can be stored in archives, the detections described by different users relate to files that are quite hard to doubt.

[Image: Users’ complaints on Reddit regarding the false detections]

One specific reason why this false detection appears is that it originates from the machine-learning (AI) detection engine of Microsoft Defender. That is exactly what the “!ml” suffix at the end of the name stands for. This engine has its merits, but it may create problems when its verdict is not confirmed by other detection systems. But don’t assume all “!ml” detections are false – that would be a costly mistake!

[Image: !ml detection false positive]

To see whether the file flagged by the Trojan:Script/Ulthar.A!ml detection is a false positive or not, consider using our GridinSoft Online Virus Scanner. It is completely free, and will show you whether you should be concerned in a matter of seconds. Just upload the file and wait for the verdict.

How to Remove the Trojan:Script/Ulthar.A!ml from PC?

It is not easy to tell whether the detected file is malicious or not without special software. I recommend checking your system with reliable and effective software like GridinSoft Anti-Malware. It has a function called Custom Scan, which enables scanning archives – exactly what you need in this case. After doing so, you’ll know for sure whether it’s a virus or not. Keep your Anti-Malware updated to the latest version and stay safe when surfing the internet.


The post Trojan:Script/Ulthar.A!ml appeared first on Gridinsoft Blog.

Bitfiat Process High CPU – Explained & Removal Guide
https://gridinsoft.com/blogs/bitfiat-process-high-cpu/
Wed, 28 Feb 2024 15:28:06 +0000

Bitfiat is a malicious coin miner that exploits your computer’s hardware to mine cryptocurrencies. Such malware takes as many resources as it can, making the system impossible to use. Let’s see what this malware is and how to remove it.

Bitfiat Overview

The Bitfiat process is related to the activity of a malicious coin miner. Such malware uses your computer’s resources to mine cryptocurrencies, mainly Monero or DarkCoin. An unusual part about Bitfiat is its origins: it is built on its own code rather than reusing XMRig. This, however, is the last point where it differs from other malware miners – its behavior is as unpleasant as in other cases.

As for the symptoms, they are typical: it causes the CPU to run at maximum capacity, often reaching 100%. You may also notice that your computer’s fan runs at full speed even when you are not using any programs. Moreover, this process usually appears in Task Manager and consumes the most resources. Although coin miners usually don’t harm your files, they make your system unusable due to an overloaded CPU.

[Image: The Bitfiat process in Task Manager]

Bitfiat Virus Analysis

Despite having the origins different from the majority of malware miners, the infection chain of Bitfiat is pretty much the same. Let’s start from the very beginning and explore the operations of this malware. Fortunately, there are enough samples to analyze.

Spreading Methods

Bitfiat propagates through various channels, primarily leveraging cracked software and software activators (“cracks”). These cracks are often distributed through illicit channels (like torrents) and online forums. They entice users with the promise of unlocking premium software features without needing to purchase them. Even though it sounds like a fairy tale, unwary users keep downloading such “free” premiums.

Another spreading method is botnets. By paying the masters of a botnet built with dropper malware, crooks can provide themselves with massive numbers of mining nodes. The thing is, after deploying malware like a coin miner the entire malware spreading chain will be uncovered, and the dropper will most likely be removed from the machine. To maximize profits, miners are spread along with other “visible” malware, like ransomware or proxyware.

Launch, C2 Connection & Mining

The majority of Bitfiat samples do not have any detection evasion tricks. And, well, how can you evade detection when your process takes up to 80% of the CPU? Right after launching, the malware performs an IP check, then collects some basic info about the system and connects to the command server.

Command servers used by Bitfiat are rather unusual: there is no direct connection to the “main” C2. Instead, the malware retrieves the needed instructions from another infected machine, i.e. the infected machines operate like a p2p network. This provides much better stability, up to autonomous operation in cases when the command server is unresponsive.

[Image: P2P C2 architecture of Bitfiat]

The said instructions, in the form of a config file, contain the mining pool and the crypto wallet address. After executing a few command prompt lines, it starts the mining process. And this is the point where the most noticeable sign of malware miner activity appears – an overloaded CPU and a strange process in the list of running programs.

How To Remove Bitfiat?

Effective removal of the crypto miner requires a comprehensive approach that neutralizes all the malware’s actions. Unlike other types of malware, a miner can overload the system so that the removal tool has no resources left. To avoid this issue, the removal guide needs one more step.

  • Download and install GridinSoft Anti-Malware. The first thing to do is to deploy the removal tool, even though it will be used later.
  • Switch your Windows to Safe Mode with Networking. By booting into Safe Mode with Networking, you prevent the Bitfiat process from exerting its influence on the CPU. This will facilitate uninterrupted removal by antivirus software.
  • Start the Full Scan. By running a Full Scan, you make the program check every single element of the system. Such a thorough scan is essential to ensure that all the malware present in the system is removed. After the scan, click “Clean Now” to get rid of all the detected items.

The post Bitfiat Process High CPU – Explained & Removal Guide appeared first on Gridinsoft Blog.

Trojan:Script/Phonzy.B!ml
https://gridinsoft.com/blogs/trojanscript-phonzy-removal-guide/
Tue, 27 Feb 2024 08:45:57 +0000

Trojan:Script/Phonzy.B!ml is a generic detection name used by Microsoft Defender. This type of malware is categorized as a loader, as it mainly aims at delivering malicious payloads onto infected systems. Across hundreds of infection cases, the Phonzy trojan was often observed delivering banking trojans.

Trojan:Script/Phonzy.B!ml Overview

Trojan:Script/Phonzy.B!ml is a generic detection name that Windows Defender uses to mark small malware families. Such malicious programs may have similar behavior and code elements but belong to different groups.

[Image: Phonzy.B!ml detection in Microsoft Defender]

In terms of functionality, Phonzy.B!ml is a scripted dropper. Its main purpose is to download and launch additional malware in a manner that does not require user interaction. However, Phonzy samples are also able to collect some basic information about the system, like location, OS version, and the like. A typical payload delivered in Phonzy malware attacks is a banking trojan – a specific type of stealer that aims precisely at online banking information.

Is Phonzy B!ml False Positive?

A deeper look at the naming convention Microsoft uses in its detection names shows that the “!ml” suffix stands for “machine learning”, meaning the file was flagged by their AI detection engine. Despite being highly effective and promising, such a verdict requires confirmation from the signature-based detection system. Without this confirmation, it is particularly easy to get a lot of false positive detections.

Unfortunately, there is barely a way to distinguish between real and false detections. Modern malware does its best in hiding among legitimate programs and files, so file locations are not informative. That is the reason why I recommend scanning your system with GridinSoft Anti-Malware.
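Both this section and the Ulthar post above lean on the structure of a Microsoft Defender detection name: a type (Trojan), a platform (Script, Win32), a family (Ulthar, Phonzy), a variant letter and the “!ml” suffix that marks a machine-learning verdict. The parser below is an added example, not Gridinsoft’s code and not a Microsoft API; it assumes Microsoft’s published Type:Platform/Family.Variant!Suffix layout, uses the names quoted in the articles as input, and adds one constructed name (Trojan:Win32/ExampleFamily) to show a name with no variant or suffix. The `triage` wording is the handling step these posts recommend, not a Defender setting.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Microsoft's documented layout: Type:Platform/Family.Variant!Suffix
# e.g. Trojan:Script/Ulthar.A!ml -> Trojan / Script / Ulthar / A / ["ml"]
_NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):"
    r"(?P<platform>[A-Za-z0-9_]+)/"
    r"(?P<family>[A-Za-z0-9_\-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?P<suffixes>(?:![A-Za-z0-9]+)*)$"
)


@dataclass
class DefenderName:
    type: str                 # Trojan, Backdoor, Ransom, PUA, ...
    platform: str             # Win32, Script, PowerShell, O97M, ...
    family: str               # umbrella name such as Ulthar or Phonzy
    variant: Optional[str]    # A, B, ... (may be absent)
    suffixes: List[str] = field(default_factory=list)

    @property
    def is_ml_detection(self) -> bool:
        # "!ml" marks a verdict that came from Defender's machine-learning engine.
        return any(s.lower() == "ml" for s in self.suffixes)


def parse_defender_name(name: str) -> DefenderName:
    """Split a Defender detection name into its components; raise on bad input."""
    m = _NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Defender-style detection name: {name!r}")
    suffixes = [s for s in m.group("suffixes").split("!") if s]
    return DefenderName(
        type=m.group("type"),
        platform=m.group("platform"),
        family=m.group("family"),
        variant=m.group("variant"),
        suffixes=suffixes,
    )


def same_family(a: str, b: str) -> bool:
    """True when two names share the family part, whatever the platform.

    This is the reasoning the Ulthar post uses to relate Trojan:Script/Ulthar.A!ml
    to the Trojan:Win32/Ulthar.A!ml sample found on VirusTotal.
    """
    return parse_defender_name(a).family.lower() == parse_defender_name(b).family.lower()


def triage(name: str) -> str:
    """Return the handling step recommended for this kind of verdict."""
    d = parse_defender_name(name)
    if d.is_ml_detection:
        return "ml-only verdict: confirm with a second scanner before deleting"
    return "non-ml verdict: treat as a confirmed detection"


if __name__ == "__main__":
    # The first three names are the ones discussed in the articles; the last
    # is a constructed example of a name without variant or suffix.
    for n in ["Trojan:Script/Ulthar.A!ml", "Trojan:Win32/Ulthar.A!ml",
              "Trojan:Script/Phonzy.B!ml", "Trojan:Win32/ExampleFamily"]:
        print(n, "->", parse_defender_name(n), "|", triage(n))
    print("Ulthar Script vs Win32 share a family:",
          same_family("Trojan:Script/Ulthar.A!ml", "Trojan:Win32/Ulthar.A!ml"))
```

Running the block prints each name broken into its parts, so the “!ml” suffix is visible as a separate field rather than buried in the string; the `is_ml_detection` flag is what you would key on when deciding whether a detection still needs a second opinion.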

Phonzy.B!ml Technical Analysis

Since Phonzy is a generic detection name, it is rather hard to find a single well-known sample to analyze. For that reason, I’ve done a comprehensive analysis of several of them to get a better understanding of what this malware is capable of. In short: a rather simple dropper that can make a huge mess in the system it infects.

Launch & Unpacking

The majority of Phonzy samples that I’ve encountered arrive in a packed form – encrypted and/or archived. This is usually done for two reasons: to avoid static detection and to complicate analysis. In the case of Phonzy, I’m leaning toward the first option.

[Image: Process of malware unpacking]

To perform the unpacking, Phonzy relies on the script that downloads it to the system. Usually, this is a PowerShell script that pulls the dropper from an intermediary server and is also responsible for launching it. Part of that script unpacks and launches the sample after the download.

Gathering system information

Once launched, Trojan:Script/Phonzy.B!ml collects basic information about the target system. This may include the operating system version, hardware information, a list of installed programs and devices, and the device’s geolocation. Such information is mostly needed to fingerprint the system, i.e. give it a specific name corresponding to its internals. In addition to system info, some of the Phonzy.B!ml samples were able to take screenshots of the infected device’s screen.

[Image: System info collected by one of the Phonzy samples]

Contacting Command & Control Server

The next step in the attack is contacting the command server. The malware sends an HTTP POST request to the C2 to report a new infection and deliver the collected data. Depending on the server response, the malware may switch to idle or start downloading other malware. Overall, the C2 communications of Phonzy are simple and unremarkable.

Delivering other malware

The key action of the Phonzy trojan is, obviously, deploying other malware samples to the infected system. It receives instructions from the C2 in the form of an IP address it should pull the payload from, plus the way this payload should be launched. Usually, the said IP address corresponds to a compromised website that hackers use as an intermediary server.

As for the ways to run the payload, the options are quite typical for droppers. All of the Phonzy samples I’ve analyzed were able to work with both DLLs and executable files. The former can be launched through DLL hijacking and hooking into a system DLL, while the latter is a regular .exe run.

Self-Propagation to USB Drives

Some of the inspected variants of Phonzy.B!ml were capable of self-propagating via attached flash drives or other removable storage media. This is a rather unusual trick for modern malware, as security vendors developed ways to detect virus-like spreading long ago. Nonetheless, you cannot deny its effectiveness – a single infected USB drive is capable of infecting dozens of other systems without a single click from the malware masters.

How To Remove Trojan:Script/Phonzy.B!ml

To remove Phonzy B!ml, I’d recommend using GridinSoft Anti-Malware. The fact that dropper malware can spread a lot of other malware requires using advanced software to remove it all. GridinSoft Anti-Malware will check every little bit of the system and eliminate even the stealthiest malware. Launch a Full scan, wait for it to finish and remove the detections – that will clean up your system.


Safety Recommendations

To avoid infection of your system, it is sufficient to follow basic cyber hygiene. The first rule is to avoid pirated software and sites that distribute it. Cracked software is an ideal shell for malware delivery, so it is not just about being careful – it is about staying away.

Having an advanced protection tool, like Gridinsoft Anti-Malware, is another key to making your system secure. Proactive protection coupled with an AI detection engine will weed out the attempts of malicious software to get in. Also, its Removable Device Protection feature will block the Phonzy trojan when it attempts to infect the system via a USB drive.

The post Trojan:Script/Phonzy.B!ml appeared first on Gridinsoft Blog.

Oneetx.exe – What is that process? Oneetx Removal
https://gridinsoft.com/blogs/oneetx-removal/
Mon, 22 May 2023 15:56:39 +0000

Oneetx.exe is a malicious process related to the Amadey dropper malware. It can be seen in Task Manager with seemingly nothing suspicious about it – if you don’t know what it stands for. Let me show you how it appears and how you can remove it.

What is Oneetx.exe process?

Oneetx.exe is a disguised name chosen by the Amadey dropper developers to hide their malware among other processes. Windows tracks all processes running in the system and displays them in Task Manager. Obviously, obfuscated names like sv39103.exe will attract attention and raise suspicion. That is the reason why hackers opt for ordinary-looking names. They often choose the names of system processes or of processes related to popular software packages, like Photoshop or crypto mining software. This case, however, is different.

[Image: Oneetx.exe process in Task Manager]

It appears that oneetx.exe does not belong to any legitimate program. Moreover, a Google search gives clear clues that this process belongs to malware that has acted as the backbone of a Russian botnet since 2018. The most obvious guess is, of course, Emotet malware, which is known for having possibly the most extensive networks on the planet. However, in this case, a short investigation showed that oneetx.exe is related to the Amadey dropper.

What is Amadey?

Amadey is a dropper (a.k.a. downloader) malware that has only one purpose – delivering other malware to the infected system. It often acts as a precursor that makes sure the system is not in a banned region and is not a debugging environment. It can deliver a wide range of threats – from the aforementioned Emotet to the RedLine stealer and even STOP/Djvu ransomware. Even after delivering the payload, it remains active, waiting for further commands from the hackers.

Aimed at long-term stay in the system, Amadey does its best in hiding from users and anti-malware software. Choosing an unremarkable name is only a small part of the way it disguises itself. First of all, each of its samples is repacked in a specific way, making it harder for antiviruses to detect. Amadey typically arrives within phishing emails with attached Office documents. Upon execution, malware moves its files from the original directory to the other folder, depending on the antivirus software present in the system. All these actions make it a pretty tough nut for “classic” antiviruses.

[Image: Amadey dropper IoCs]

How to remove Oneetx.exe?

You will likely fail to remove Oneetx.exe from your system manually. It performs a series of persistence actions, which forces the user to locate and undo all the changes it made to the system before touching the files. For that reason, I’d recommend using GridinSoft Anti-Malware – a program that specialises in removing threats like the Amadey dropper.


The program will not only help you with removing this malware, but also prevent any further infections. Its detection system makes it effective even against the newest tricks – regardless of the way they’re packed. However, anti-malware software should be your last line of defense. To stay secure, it is better to avoid any muddy waters at all. In the case of Amadey malware, the key is to be vigilant when you deal with email messages. Read our detailed analysis of modern spam emails and the way to recognise them.

The post Oneetx.exe – What is that process? Oneetx Removal appeared first on Gridinsoft Blog.

Benefits Of Using Malware Protection
https://gridinsoft.com/blogs/benefits-of-using-malware-protection/
Wed, 25 May 2022 00:42:05 +0000

It seems that people are not aware of the benefits of using malware protection. Many people have heard about computer threats but possess a rather vague understanding of what they are and what types of network menaces there are in general. Once upon a time, you could often hear the word “virus;” today, the scary term “malware” pops up now and then, and completely blurred ideas about online threats cover all these uncertainties like a dome. There is some truth in this vagueness since computer security experts often argue about the denomination of threats and malware themselves.

In the context of network threats, many users still manage to neglect suggestions to protect their computers with security software. Choosing an antivirus solution among the many presented on the market, installing it, configuring it, and eventually tolerating a part of system resources spent on its work seems overkill and not worth the effort. We can only remind that safety measures always seem excessive until they stand in good stead.

In the current article, we will help you sort out one thing: what happens to a computer infected with malware and what is the point of using an antivirus.

What is malware and what does it do?

First of all, you should understand what malware is. “Malware” is a portmanteau of “malicious software”; it is a name for harmful programs. Malware is one of many types of threats. There are also scripts, which are not executable files, and there are other network-based threats, such as phishing, that are not directly related to programs infecting the victim’s computer.

[Image: Types of malware, presented in a simplified manner]

Now let us see what malware does from the standpoint of the attacker. The list of damage types below may not be exhaustive, but it summarizes the harm hackers usually inflict with malware nowadays and the reasons behind such activities.

Data theft

Hackers use spyware (a category of malware) to carry out data theft. These can be completely different programs, united by only one thing – their spying function. For example, both a keylogger, a program that records all the user’s keystrokes, and a spying rogue browser constitute, in terms of their goals, the same group – spyware. These types of programs differ in their abilities. Some simply transfer your browsing history to third parties; others, as already mentioned, record keystrokes; and others are able to intercept your traffic.

All of the above-mentioned actions require the CPU’s background work. So, in addition to the actual harm brought to you, spyware slows down your computer.

The worst thing that can happen to a user from a spyware attack is identity theft and its grave consequences. Stolen financial credentials also put all the money in the account at risk.

Cryptocurrency mining

There are special programs, either injected into systems as Trojans (disguised as something else) or downloaded with the help of other Trojans (so-called downloaders), whose sole purpose is to direct the resources of the infected device to mining cryptocurrency (for other people, understandably). Since mining coins is cryptographic work, the miner malware delegates this task to the victim’s computer, and the CPU performs the part of the work that it can handle.

The visible consequences of such invasion are a running speed decrease on the infected machine and the Internet connection becoming slower.

Involvement in a Botnet

Botnets are networks of computers with specific malware installed on them that allows a remote hacker to command them all at once and thereby benefit from their quantity. An entire army of computers under hackers’ control is a different story compared to one hacked machine. It allows a new and much broader scope of action. For example, DDoS attacks involving thousands of bots would be simply impossible to pull off without botnet technology. The same is true for automatic comment posting, widely used in politics. Another activity of bots can be the further spreading of the botnet. A large botnet nowadays can amount to tens of millions of infected machines.
As for the users of the infected machines, all the botnet activities take place unbeknownst to them. The only tangible effect is the overloaded CPU and mysterious Internet traffic.

Advertisement flooding

Adware is a wide range of software that includes overt malware and so-called potentially unwanted applications (PUPs). Adware, if malicious, turns your browsing experience into something like the Las Vegas Strip: bright flashing banners pop up all the time, blocking the view of the webpage you are trying to read. Moreover, adware can insert ad links into the plain text of the web pages you view to trigger your clicks. And some adware can even affect your offline work – the banners can appear just anywhere within the OS, not only in the browser.

Many types of programs fall into the adware category according to their function. These can be easy-to-remove browser extensions, rogue browsers, various “handy” applications, etc. However, some adware executables don’t show themselves and appear as some undistinguished process in your Task Manager.

Adware effects are self-evident, and they encourage sanitizing the computer. You must clear the adware if you were unlucky enough to catch it: its presence is fraught with other malware infections.

Encryption of data files

One of the nastiest malware types is ransomware. After this program lands on the victim’s device, it encrypts all data files of preset types and leaves a ransom note for the victim. The encrypted files get an additional extension, and access to them becomes impossible. The ransom note states how and how much the victims should transfer to the racketeers in cryptocurrency to get their files back. Cybercriminals usually send their victim a decryption key after they get paid so that their next victims pay as well and still trust the scheme.

Ransomware attacks are the first viable profit-generating malware-involving scheme. Annual profits of the racketeers amount to millions of dollars. Nowadays, ransomware is rampant.

Taking control over the system

One class of malware is considered extremely dangerous because, if employed correctly, it allows hackers to do virtually anything with the system and control it as if they were its administrators. These programs are called rootkits, and their most threatening capability is to establish a backdoor, a way around access restrictions, allowing a hacker to control the system by giving commands from its infected core. The damage from an attack using such means is limited only by the attackers’ goals.

What happens when your device gets infected by malware?

Let us briefly summarize the symptoms of a malware infection regardless of the particular threat you might be facing. If you have read the previous section attentively, you can even guess some malware types by symptoms alone.

[Image: Symptoms of malware infection, shown in a simplified manner]
  • Slow PC and crashing programs are expected effects of many kinds of malware. If a program (or several of them) works in the background unbeknownst to you, especially if it is a resource-hungry process like cryptocurrency mining, your PC’s performance will be tangibly affected by it.
  • Lack of storage – some malicious infections imply taking your HDD space for their purposes, leaving not enough for your everyday operations.
  • Slow Internet. Even if CPU productivity remains sufficient, your Internet connection will feel less effective. Of course! Many malware types generate their own traffic that uses your bandwidth.
  • Spam reports. If your email and social media acquaintances begin complaining that you send them spam via direct messages or email, be sure that your account hijacking most likely happened with the help of malware.
  • Advertising pop-ups and applications you never installed are typical and intended consequences of adware infestation. Besides the danger of clicking on adware-fetched banners, aren’t they just inconvenient?
  • Weird extensions added to data files. Well, here we are. It’s ransomware. All encrypted files are inaccessible, and you need to pay if you want them back. So much for carelessness on the Internet.

How to avoid getting infected by malware?

  1. Stay vigilant! And, if we are talking about a workgroup, make sure your personnel are acquainted with the basic security rules. A lot depends on users themselves. Hackers often introduce malware into systems via human vulnerabilities like inattentiveness and gullibility. Social engineering is an integral part of cyber warfare. For example, a phishing attack does not require malware at all. However, infecting the targeted machine with malware may well be the goal of a phishing attack.
  2. Do not click on unknown email attachments, links, or banners. At least think twice or even thrice before you do. The easiest way for malware to get onto a victim’s machine is via scripts: malicious code fitted into files or websites that users voluntarily download and access. You just have to realize where the threat comes from: deceptive emails, messages, and advertising.
  3. Update your operating system regularly. Not only will updates keep the OS’s built-in security ready to face the latest threats, but they will also stop hackers from exploiting vulnerabilities that are often discovered between update procedures. Antivirus software, by the way, also works better when the system is up to date.
  4. Use 2-factor authentication wherever possible. Google, for example, being aware of the threat of social-engineered hacker attacks, made 2FA mandatory. The feature simply makes you confirm your identity on another of your devices when accessing an online account.
  5. Install a trustworthy antivirus program. Everything said above is valid, and it works. But it is simply unrealistic to rely on vigilance alone. All the precautions we have listed give the desired result only in cooperation with a reliable security program. Below, we explain how anti-malware software works and what it does.

How can antivirus help?

We were going to share our ideas on the benefits of using malware protection. But it seems we were So what does an antivirus do? Let’s take Gridinsoft Malicious Software Removal as an example. This program offers triple protection.

First comes the so-called On-Run protection. The program registers everything “new” that appears on your machine, and before any incoming file can do harm, the program scans it. If the program recognizes the file as malicious or unwanted, it immediately sends the item to quarantine. The user can then decide what to do with it: delete or restore.

Another function of anti-malware is Internet protection. It blocks hazardous websites and warns you about suspicious ones. Websites are recognized as dangerous after malicious scripts are detected on them, while the absence of an SSL certificate is grounds for considering them suspicious. These blocks and warnings can be overridden but are very handy in most cases.

The most time-consuming but necessary feature in case of infection is a deep scan. You can choose options for scanning: the more encompassing scan will take more time, but the probability of malware eradication will be higher. Certain types of malware can be detected and removed only with the help of such deep scanning.

Parting wishes

Combining different virus detection methods in its architecture, the Gridinsoft product demonstrates versatility and effectiveness. It performs well on home and corporate machines. You can use this software as a primary security system for your device or as an additional antivirus scanner. With its efficacy, the solution is cost-effective.

As for the benefits of using antivirus in general, they are undeniable. Any danger seems far-fetched before the first contact with its source, and cybersecurity is no exception. Nevertheless, your doubts will vanish at the first encounter with a dangerous Trojan, hopefully removed by a security program.

The post Benefits Of Using Malware Protection appeared first on Gridinsoft Blog.

TOP 9 Malware Attacks: Compilation 2022
https://gridinsoft.com/blogs/malware-attacks-worldwide-compilation-2022/ (published Thu, 21 Apr 2022 20:25:22 +0000)

The World Wide Web is not a hostile realm by itself, but any Internet user should be aware of the dangers lurking on the Net. If earlier harmful software was just fun for the hackers or vandalism in the worst case, today, malware attacks are a viable business model.

The commercial element makes the danger more tangible and serious. Let us list and describe the nastiest and most dangerous malware attacks in all areas likely to cause trouble in 2022.

#1. Attacks by Nation-State Threat Actors

Nation-state threat actors are the most dangerous cyber criminals on the Web. There are several reasons for thinking so. Nation-state hackers are professionals. They possess the best available technology. They work together with their countries’ secret services and can afford long-term preparations. They are legal in their own countries, and finally, they rely on stealth, so they are hard to detect.

For example, the recently discovered Pipedream malware used by nation-state hackers does not target private computers. The aim of such attacks is industrial objects and programmable logic controllers at plants, factories, gasworks, etc.

These actors can also target banks or state registries. However, the most shocking news was the warning by the US authorities about Pipedream-armed hackers being ready to strike the electricity and natural gas supply facilities with the possibility of damaging real industrial objects.

#2. Clop Ransomware Attacks

Like any other ransomware, Clop encrypts the targeted data files, making them inaccessible. Then the user finds a ransom note wherein the racketeers tell where to send money (in the form of cryptocurrency) to get a decryption key. Clop ransomware is extremely dangerous as it works on most versions of Windows and is highly evasive towards security programs.

Note: Clop ransomware (sometimes stylized as “Cl0p”) has been one of the most prolific ransomware families in the last three years.

After the malware infiltrates the system, it gets escalated privileges and gains permission to alter and overwrite system files. Clop creates an entry in the Windows registry that broadens its capabilities.

Afterward, it sends data about the system right to the crooks. Clop then begins to scan the computer looking for files to encrypt. The targets are images, videos, text documents, mp3s, and other data files. The malware settings may vary, though.

Since Clop ransomware aims mainly at corporations, the range of ways it infiltrates the victim’s devices can probably be narrowed to links and attachments in messages and emails pretending to be sent by recognizable companies. Theoretically, ransomware can penetrate the system in many ways, though.

#3. Agent Tesla Malware Attacks

Agent Tesla is a highly elusive multifunctional malware complex combining features of spyware and stealers. It is an example of a harmful program that can be ordered as a service. That means Agent Tesla is a highly targeted weapon.

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. On a special website that sells this malware, it is incorrectly positioned as legitimate software. Unpacking the final payload after the malware’s primary injection is a sophisticated process that involves steganography and unfolds in several stages. Such complexity allows Agent Tesla to avoid signature-based detection by security software.

The list of malicious functions of Agent Tesla is impressive: collecting and stealing device and system data, keylogging, screen capture, form-grabbing, stealing credentials, stealing browser data, etc.

#4. Ransomware-as-a-service (RaaS)

Ransomware-as-a-service (RaaS) does not substantially differ from the usual ransomware. What makes the difference is what happens behind the scenes. RaaS is a business model wherein one side provides the software and the infrastructure for paying the ransom (a bitcoin wallet and technical support for victims). The other side, in turn, deals with delivering the ransomware and provides the prey likely to fall victim to it.

AS A FACT: I want to remind you that ransomware deployment is one of the most dangerous forms of cyberattack. Examples include Conti ransomware, Matrix ransomware, Makop ransomware, STOP/Djvu ransomware, etc.

RaaS does not guarantee the campaign’s success, as it works just like any software-as-a-service scheme. However, such a commercial attack is more likely to succeed because it is less random. The one who orders the service has a better approach to the victim, unlike a ransomware author trying to perform an attack by guesswork.

#5. AlienBot Malware Attacks

AlienBot malware is a password stealer targeting Android devices. It is part of a malware-as-a-service scheme. AlienBot compromises legitimate banking applications, and although its primary goal is to harvest logins, passwords, banking credentials, and other form data, AlienBot provides criminals with a much broader range of possible malfeasance.

If AlienBot infiltrates the system, it lets criminals download any applications, back up data, control the device via TeamViewer, etc.

AlienBot was found in nine applications that crooks distributed via Google Play. This has been fixed, and such a flagrant campaign is no longer possible with this malware. Nevertheless, users are still endangered if they carelessly follow dubious links and download unchecked applications onto their Android devices.

#6. Cryptojacking Malware Attacks

Cryptojacking is a state-of-the-art and relatively light type of attack. The already mentioned coin miners are a type of cryptojacking. However, we are now talking about a different case, in which victims receive no malicious code on their computers at all.

Cryptojackers perform their attacks by luring users to click on banners and links that lead them to web pages wired with mining scripts. If the victim uses an antivirus program, the security software will not allow malicious scripts to run: it will simply block the dangerous webpage from opening.

However, if the victim has no protection, the enslaved processor will keep working for the sake of the criminals until the end of the session. The crooks count on the massive number of people who will click the dangerous link.

#7. Social Engineering Attacks

Social engineering is an indispensable tool in a wide range of frauds aimed at fishing critical data, such as logins and passwords for social media accounts, out of the victims without even employing malware. These campaigns are called phishing, and they most often use deceptive emails that make people think they are dealing with an actual company. Fraudsters disguise themselves as social media platforms, delivery services, banks, money transfer services, etc.

Phishing attacks are often combined with spoofing: the visual design of emails and fake websites is imitated with the same goal, to make a person believe that the site they are viewing is what it claims to be.

Then the victim does not fear inputting their credentials in the signup form or any other trap. The login and password, or it might be the banking data or credit card details, go right to the crooks.

#8. Gameover ZeuS Virus

Zeus Gameover is a botnet that steals banking information from browsers by keylogging and form-grabbing executed by a Trojan. The main danger of this malware is its antivirus-evasion method.

NOTE: Often, botnets will launch a spam campaign on someone’s social media page or do it under someone’s YouTube video.

Unlike its predecessor, ZeuS, Zeus Gameover connects to its command and control servers via an encrypted peer-to-peer communication system. That makes the Trojan much harder to detect.

As the connection is established, besides stealing their victims’ credentials, hackers can control the system of the infected device up to installing and removing programs. Another menace comes from an extra function of Zeus Gameover – distribution of the Cryptolocker ransomware.

#9. Browser Hijacking

Browser hijackers are not a new phenomenon, but they are still active and dangerous throughout the web. The main characteristic of this type of malware is that it modifies the settings of the infected PCs’ web browsers. Usually, the user notices that the browser homepage and default search engine are suddenly changed. Other effects may vary.

A browser hijacker is a vehicle for the malicious payload, most likely spyware, adware, or both. Spyware collects data from the user and sends it to the threat actors. The consequences range from the data sold to third parties to identity theft and tangible harm.

Adware is a different thing: it throws pop-up banners with advertising right over webpages, opens unwanted pop-ups, and inserts hyperlinks into webpages where none existed before. It might seem that adware is comparatively harmless, but it is not so, since any ad banner rendered by adware is also a menace.

Avoiding Malware Attacks: Choosing a Security Solution

Modern security software is a must-have for today’s Internet users. Although it is no panacea, since malware is constantly transforming and antiviruses have to catch up, a decent security program protects its user from most malware specimens. GridinSoft Anti-Malware is a technically masterful and economically beneficial solution. It is a versatile program that can serve as a primary antivirus or an auxiliary scanning utility alongside another security system.

GridinSoft Anti-Malware features on-run defense (background protection), Internet protection (it blocks dangerous webpages and warns about suspicious ones) and deep scanning. The program is regularly updated, with particular attention to the latest ransomware.

The post TOP 9 Malware Attacks: Compilation 2022 appeared first on Gridinsoft Blog.

How to Remove a Virus From a Computer in Safe Mode
https://gridinsoft.com/blogs/remove-viruses-safe-mode/ (published Wed, 15 Dec 2021 14:36:17 +0000)

Most widespread viruses can be removed from your PC without any additional setup. However, some “serious” examples of computer viruses can block the use of anti-malware software or load the CPU so much that the security tool will fail to start. For that case (and some other actions), Microsoft added Safe Mode to their operating system.

What is Safe Mode in Windows?

Safe Mode is a setting available in every Windows operating system (version 7 and later), and it is the last option to try before you decide that the operating system is beyond repair. It allows you to fix system problems that could put your PC at risk, such as a computer virus, and temporarily returns the system to its previously healthy state.

Safe Mode in Windows 10. It shows no wallpaper and displays troubleshooting information on the screen right after the system starts.

In this mode, a great number of system services do not start together with Windows (as they usually do). Besides system services, Windows also ignores the programs in the startup list. This may cause sound or graphics problems, but the main benefit is much bigger. Originally, this mode was designed to make diagnostics easier: while most system elements are not running, you can easily tell whether the problem is related to a hardware issue or a software bug. However, it also gives a huge advantage in malware removal.

Safe Mode in malware removal process: why is it needed?

In most cases, malware removal can be performed without additional activities: launch your anti-malware program, scan your PC, and you’re good to go. But things get worse when we talk about something more complicated than adware or unwanted programs. Most modern ransomware variants, as well as spyware and backdoors, can prevent the anti-malware software from launching. Moreover, they can even forbid the launch of AV-tool installation files. Such viruses as coin miners, on the other hand, create a problem in another way: just by consuming almost 90% of your CPU power. No antivirus program will be able to run correctly in such conditions.

Image: a coin miner consumes 95% of CPU capacity. With a coin miner consuming more than 60% of CPU power, antiviruses cannot work properly.

Safe Mode allows you to ignore the changes malware made to your PC. Prohibitions and autorun entries have no effect when the system is set to run with a minimal (~10%) set of settings. Hence, malware will not be able to interfere with the antivirus program’s job, either directly or through changes in system settings. Sure, such a system mode is not comfortable for everyday use, but who said that a special troubleshooting mode could be used for regular work?

How to enter the Safe Mode?

Since this feature appeared in Windows 7, the way to access this system mode and its appearance have changed twice. In Windows 7, you need to press Win+R to open the Run window, then type MSConfig and press Enter. In that window, select Safe Mode with the Minimal sub-option. Press Apply and OK to save the choice.

Safe Mode msconfig Windows 7

The system will then offer to reboot the computer for the changes to take effect. Accept, and you will boot straight into the needed system mode. Choose Safe Mode with Networking and proceed to malware removal.

Safe Mode Win7

In Windows 8, this procedure was made more accessible: you need to click the Reboot button while holding the Shift key on your keyboard.

Troubleshoot Win 8/8.1/10/11

Then, on the Troubleshooting screen, choose Troubleshoot → Advanced Options → Startup Settings → Safe Mode with Networking.

Advanced boot options Win 8 Win 10 Win 11
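The same Safe Mode switch can be set from the command line, which is handy when the msconfig dialog or the Shift+Reboot menu cannot be reached. The script below is an added example written for this page and is not from Gridinsoft or the original post; it uses the built-in bcdedit tool and the Win32_ComputerSystem WMI class, and the function names are this example’s own. It also reports which boot mode the current session is in, so a removal script can confirm it really is running in Safe Mode, and it reverts the flag afterwards, because bcdedit’s safeboot setting persists across reboots until it is removed.

```powershell
# Added example (not from the Gridinsoft post): command-line equivalent of the
# msconfig "Safe boot" option described above, using the built-in bcdedit tool.
# Function names are this example's own. Run from an elevated PowerShell prompt.

function Test-IsElevated {
    # bcdedit refuses to modify the boot configuration without admin rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BootMode {
    # Win32_ComputerSystem.BootupState reports "Normal boot", "Fail-safe boot"
    # or "Fail-safe with network boot", so a script can tell Safe Mode apart
    # from a normal session before it starts a scan.
    return (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
}

function Enable-SafeBootWithNetworking {
    if (-not (Test-IsElevated)) { throw "Run this from an elevated PowerShell session." }
    # Same effect as ticking Safe Mode -> Network in msconfig. The braces must be
    # quoted, otherwise PowerShell parses {current} as a script block.
    bcdedit /set '{current}' safeboot network
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    Write-Host "Safe boot (network) set. Reboot to enter Safe Mode with Networking."
}

function Disable-SafeBoot {
    if (-not (Test-IsElevated)) { throw "Run this from an elevated PowerShell session." }
    # The flag is persistent: without this step the machine keeps booting
    # into Safe Mode on every restart.
    bcdedit /deletevalue '{current}' safeboot
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    Write-Host "Safe boot flag removed. The next reboot returns to normal mode."
}

# Usage:
#   Get-BootMode                                  # which mode is this session in?
#   Enable-SafeBootWithNetworking; Restart-Computer
#   ... install and run the anti-malware scan in Safe Mode ...
#   Disable-SafeBoot; Restart-Computer
```

Call Get-BootMode at the start of any removal script and abort if it does not return a "Fail-safe" value; this catches the common mistake of running the scan in normal mode after the safeboot flag failed to apply.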

How to remove malware using Safe Mode?

As I have mentioned, Safe Mode disables most Windows services, leaving only those crucial for the system to work. The problem is that Windows Defender is disabled in Safe Mode, too. You cannot wake it up until you boot your PC into the standard Windows mode. To remove malware in that system mode, you must install a separate anti-malware program. That is exactly why networking is needed: you install it after entering Safe Mode, since malware can block the installation.

GridinSoft Anti-Malware will be a perfect solution for removing malware using Safe Mode. This anti-malware tool has its detection databases updated hourly; it also offers Proactive Protection, which protects the system in the background. Together with the program’s overall light footprint, this makes it a perfect option for any system.

The post How to Remove a Virus From a Computer in Safe Mode appeared first on Gridinsoft Blog.
